Leveraging RBI for gradual GenAI adoption

  • 28 May 2024
  • 0 replies
  • 127 views

Userlevel 3
Badge +11
  • Netskope Employee
  • 8 replies

Hello Netskope Community, 

 

You’ve probably seen some other Netskope publications around GenAI adoption but this one specifically addresses organizations that haven’t started their journey yet and want to leverage a Zero Trust approach when it comes to GenAI apps like ChatGPT and others which have been fueling a lot of development and discussion at organization of all sizes due to its innovation possibilities but also by their perceived risks. 

 

With the recent announcement of the extended license of RBI, admins can utilize our Remote Browser Isolation technology to provide access to apps based on application tags and their observed risk translated through the CCL (Cloud Confidence Level) values. Let's explore two scenarios which are possible by using this approach:

 

  1. Company has currently been blocking all GenAI apps but wants to allow access to at least ChatGPT via Remote Browser Isolation so users cannot paste corporate data into it or copy from it but still interact with the Assistant. 
  2. Company currently uses ChatGPT but wants to allow access to other GenAI apps with Low CCL via RBI so preventing copy/paste or file uploads into the sessions. 

 

Use-Case #1 - Block all GenAI apps but allow access to ChatGPT through RBI. 

 

The advantage of this first use-case is that the company can gradually allow access to a single GenAI tool which has been vetted out by the organization but in a safe environment and controlling which interactions can happen in the session. The most powerful advantage provided by RBI in this use-case is the clipboard control which would allow, for example, a marketing person to get ideas on titles for an article but not paste sensitive data to it for data processing. 

 

The first step is to tag the ChatGPT application as a sanctioned application in CCI. Here is an example of how that would look like: 

 

70MwM6zPOp397pxWBI9c9K6-xlKJ_m5psdDGShG2-W0svP9thYu9IirQyYRPpKIH9B2Ypa2gsDSZzqFJamMr9uUmQ-6lEuto5krPaO4WSQCKWs2rY91uHuPddt8FN_I7OdgxmFdB06nPkzi96yXNhsg

Custom tag named “genai-sanctioned” created

 

After the application has been properly tagged, you now create an RBI profile that matches the actions that will be allowed inside the RBI session. In this example I'm setting up a profile that doesn’t allow pasting data to prevent sensitive data misuse. 

 

svhTN2iYxDn781JRf9LTsIdJ2Ip2pWTuVNV8egmIpJUe1s4eowdi1TR7bWLOfPBsuvJC57sfk4-sQwyyxQI_MfRO91n-d0FMwj0vnLtUqVfRwUvtI5co_yovY4PYe-u81mfKmPnSi6JH6Hh_IC0dB3o

RBI template that prevents pasting data or file uploads

 

Last step is to create the Real-Time policy that wires together the Generative AI category, the tag and the RBI profile. 

 

JoaJeDi3dgjrQi6Dwe_ufZ2YILmYtKmO0yJNHqbFXt2COkuD7xGR4osLKujKSALQ7xo1LG7PP0AMRxuXRxaYSHo2lAP-_tP1_P8P4CeF9gXXUdkEIe5oB_tu2n0miCYyO44gytd4mIa2vBQsa8byTaY

Real-Time policy for GenAI apps with the genai-sanctioned tag 

 

Now to conclude this first use-case, let's browse to ChatGPT and see what the result is. Please note the blue frame around it (which by the way, now can be re-colored to match your company corporate identity).

 

dwsnfaf64WWMFVNRKrF7qcaDwaX_SgeqwmoEA5IhEQG4dLh9gGl4Wele7K_dLN8o8ri6wVLeRqZ-j_aP06bWpwKQN1pD_X-uFCJGQBcGPGFnKBphg7Ey8ox-5-WwQlhN2iyiER6Kw19YxL-Jo5JzYRs

Users can interact but cannot paste or upload files inside the RBI session

 

Use-Case #2 - Allow restricted access to genAI apps with Medium/Low CCI via RBI. 

 

In this case, sanctioned apps will have direct access but still be protected by Netskope’s DLP, Threat Protection and Analytics, but any other apps with a Medium/Low CCL which translates into a low confidence score can only be accessed via RBI. 

 

Let's use the same RBI profile from before but set up our Real-Time policy to accomplish the desired outcome. 

 

uQrQm1TD0BHLEUhKz_5cKUmp35Gddc44oHQZTTUUJ9Rw9Ie43PzADjEXzrY6iGs7JLTAjMKKaj39Nhr5TLxkvu1t-QNBGCjJX8sHE3HN4OszLHDIFx6fyQG-VP5Q5yNWmNvraU5IjZUZOfzeVJ8c4q0

Policy that enables RBI for Low CCL GenAI apps 

 

Now you just need to add another policy with an action set to “allow” for any other sanctioned apps that have the “genai-sanctioned” tag we created in the first use-case. 

 

This is how the result will look like, using askyourpdf.com which has a “Poor” CCL in the Netskope CCI database. 

 

kROpWt4SFq4Eq5zi6SkzK6_GlWkviRqOmkKbe2JoI5btsIwqs9fnyNZr8gHsfx6lfRs8XpCD4J-PPt8CXwODHJnvd8ohNIzjapdrqkJh98zItjUne1ciP4x_wvF9mrgZz4afG-l0vZAcvaFMLWNF4S0

Users can interact but cannot perform high risk activities like paste or upload on Low CCL apps 

 

In both cases, all user interactions will be available in SkopeIT and Advanced Analytics so the organization can track the use of apps and their associated risk promoting informed changes to the policies related to adoption of these new apps. 

 

We demonstrated how RBI can be used to create a gradual adoption strategy for Generative AI apps, since, in addition to the file controls presented by Netskope’s platform it can also perform copy/paste control to the isolated environment resulting on the following business outcomes: 

 

  • Reduce intellectual property leak risks 
  • Prevention of unintentional data sharing 
  • Maintain data privacy compliance (PCI, HIPAA, GDPR and others)
  • Prevent unintended data sharing with 3rd parties 


 

Thanks for reading my article and stay safe out there! 

 


0 replies

Be the first to reply!

Reply